[Snort-sigs] how can we alert on web visiting activity?

mary andrews maryandrews22 at ...2420...
Thu Nov 19 14:27:37 EST 2009


we are pulling our hair on this one...

alert tcp any any -> any any (msg:"test eBay rule"; flow:established;
content:"ebay"; nocase; rawbytes; sid:1000002;rev:1;)

we are using Snort 2.8.5.1 under Win XP and the rawbytes didn't help here
either...




On Thu, Nov 19, 2009 at 2:01 PM, evilghost at ...3397... <
evilghost at ...3397...> wrote:

> What version of Snort are you using?  I have had issues with content
> matching working correctly in the 2.8 branch (as have others at Emerging
> Threats), I was able to get content matching to work as expected by
> using the rawbytes option.  See section 3.5.3 in the Snort manual.
>
> content:"ebay"; nocase; rawbytes;
>
> -evilghost
>
>
> mary andrews wrote:
> > Hello there, we have a testing.rules file with the following 3 lines
> >
> > #testing.rules
> > alert icmp any any -> any any (msg:"$TESTING rule$"; sid:1000001;)
> > alert tcp any any -> any any (msg:"test eBay rule"; flow:established;
> > content:"ebay"; nocase; sid:1000002;rev:1;)
> > we put the rule as generic as we can, of course ebay is just an example.
> >
> > ping any site produces the alert $TESTING rule$ on the dos screen snort has
> > been started.
> >
> > But using Internet Explorer to go to ebay, does not produce any alert.
> > Our question is, what part of a rule triggers web visiting activity?
> >
> > thanks,
> > m
> >
> >
>
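To make concrete what the two options in the rule above actually require of a packet, here is an added, illustrative example (not Snort's code and not from anyone in this thread): a tiny TCP flow tracker that only considers a session established after the full three-way handshake has been seen, plus the case-insensitive byte search that `content:"ebay"; nocase;` performs on the TCP payload. The `Packet`, `FlowTracker` and `rule_matches` names and the sample packets are constructed for this example.

```python
from dataclasses import dataclass

# TCP flag bits (standard values), named here for readability
SYN, ACK, PSH = 0x02, 0x10, 0x08

@dataclass
class Packet:
    src: str        # client/server identifiers stand in for addr:port
    dst: str
    flags: int
    payload: bytes = b""

class FlowTracker:
    """Minimal stand-in for Snort's stream tracking: records whether a
    session has completed SYN -> SYN/ACK -> ACK (flow:established)."""
    def __init__(self):
        self.state = {}  # (client, server) -> handshake state

    def update(self, pkt):
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.state[fwd] = "syn_sent"
        elif pkt.flags & SYN and pkt.flags & ACK and self.state.get(rev) == "syn_sent":
            self.state[rev] = "syn_received"
        elif pkt.flags & ACK and self.state.get(fwd) == "syn_received":
            self.state[fwd] = "established"

    def established(self, pkt):
        return "established" in (self.state.get((pkt.src, pkt.dst)),
                                 self.state.get((pkt.dst, pkt.src)))

def rule_matches(tracker, pkt, needle=b"ebay"):
    """Equivalent of: flow:established; content:"ebay"; nocase;
    Only established sessions are inspected, and the match is a plain
    case-insensitive search over the TCP payload bytes."""
    tracker.update(pkt)
    if not tracker.established(pkt):
        return False
    return needle.lower() in pkt.payload.lower()

def sample_session():
    """Constructed capture: a handshake followed by one HTTP request whose
    Host header contains the string (in mixed case)."""
    c, s = "client", "server"
    return [
        Packet(c, s, SYN),
        Packet(s, c, SYN | ACK),
        Packet(c, s, ACK),
        Packet(c, s, ACK | PSH, b"GET / HTTP/1.1\r\nHost: www.eBay.com\r\n\r\n"),
    ]

def run(packets):
    tracker = FlowTracker()
    return [rule_matches(tracker, p) for p in packets]
```

Only the fourth packet matches: the three handshake packets carry no payload, and a data packet seen without the preceding handshake (for example when the sensor did not observe the session start) never satisfies `flow:established` regardless of its content.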